Scareware?


  1. Posts : 4,517
    Windows 7 Home Premium 64bit
       #1

    Scareware?


    A friend of mine called today with an issue. Seems he got one of those viruses that locks your PC down and demands money to unlock. I forget the exact details of the message though.

    At any count, it's a laptop and he has no other PC around. I asked him to bring it over to me to have a look at later and I'm thinking of running Malwarebytes from a USB in Safe Mode.


    Sorry I can't give any specifics; I only know what I was told. Haven't actually seen it yet, but he did say he couldn't do anything but see the site where you need to pay.
    I told him not to pay anything as well.

    If I remember correctly, this should get him back up and running, correct?
    If not, any suggestions? Or anyone have hands on with this virus that can offer insight?
    Last edited by Wishmaster; 03 Apr 2013 at 11:00.


  2. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #2

    This is called ransomware, kidnapping a PC for payment. You might ask Jacee for help, I think she's dealt with these types before.


  3. Posts : 640
    Windows 7 Professional SP1 64-bit
       #3


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    Wishmaster,

    If you wish, follow these instructions. I've provided them to Users, who ran them successfully, several times.

    Let's use HitmanPro.Kickstart to access your computer, scan it for malware, and remove this infection. The program targets this ransomware.


    Also, you may want to print these instructions, so they are available to follow.


    Now, load a USB flash drive with HitmanPro.Kickstart as follows...
    Note: the contents of the USB flash drive are erased during this process!


    Use a clean (non-infected) computer, and download:
    HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight


    Under Download (on the right) select the program applicable to the system: 64-bit?


    When HitmanPro opens, click the KickStart icon at the bottom of the screen.


    >>Plug in the USB flash drive.


    When the USB flash drive is detected, a selection screen is presented.
    Select the USB flash drive from the choices, and press: Install Kickstart
    A warning that all contents of the selected flash drive will be erased is presented.
    Press: Yes


    As the HitmanPro.Kickstart files are loaded, a progress indicator is shown on the screen.
    Once the process is completed a screen is presented with the contents of HitmanPro.Kickstart

    Remove the USB flash drive from the clean computer and press: Close



    Now, with the ransomed computer shut down, plug the USB flash drive into a USB port, and turn on the power.


    When the computer starts, press the key that brings up the Boot Menu. (On some machines it's F12, F10, or F2.)

    From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)
    Info: How to Remove Ransomware - Select Real Security


    Once you select the USB flash drive to boot from, press: Enter


    A Kickstart prompt with USB boot options appears.
    Select: 1 (Bypass the Master Boot Record (Default))


    The system continues to boot from the hard drive and starts Windows.

    If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally

    When Windows boots, you either get a logon screen, or the Desktop is started.
    If you see a logon screen with your User name, log on with it.


    In the next prompt that appears, to start the program without installing to the local hard disk, select the option to do a: One-time scan to check the computer.

    To start scanning for malware press: Next


    If malware is detected, the program shows what malware is present on the system using a red framed screen as shown below:

    Select Next to quarantine the malware into a secure storage where it can no longer start.


    At the next screen, activate the 30-day free license:

    After successful activation (30 days), press: Next


    A screen indicating that the malware was successfully disabled or removed is presented.
    Press: Next


    To obtain a report of the scan results, press: Save log
    >>Save the Notepad log to the Desktop<<
    It has a name such as: HitmanPro_xxxxxxxx_xxxx


    Remove the USB drive, and press: Reboot
    If no malware is found, press: Close


    After HitmanPro.Kickstart is done, you should be back into normal Windows.


    Please post the HitmanPro log in your reply. <<Important!




    ~~~~
    To remove any remnant malicious files of the ransomware...


    Download RogueKiller:
    Télécharger RogueKiller (Site Officiel)

    When you get to the website, go to where it says:
    (Download link) Lien de téléchargement:

    Select the version that applies to your system: x64 (?)
    Click the dark-blue button to download.
    Save to the Desktop.


    Close all windows and browsers.

    Right-click and select: Run as Administrator


    At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)


    Press: SCAN


    When done, a report opens on the Desktop: RKreport.txt

    Please provide the RKreport.txt (Mode: Scan) in your reply. <<Important!


    A matter of concern is whether there is "something else" in the system, so looking at these reports is a wise decision.
    Last edited by cottonball; 02 Apr 2013 at 19:15.


  5. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #5

    Hi wishwasher,

    Do you have a USB flash drive handy? If so, back it up, because creating a HitmanPro Kickstart flash drive will wipe the flash drive.

    Choose your OS version x64-bit or x32-bit

    Downloads - SurfRight


    Open HitmanPro on an uninfected PC and click the KickStart icon (flying kick) at the bottom of the screen.

    Plug in the USB flash drive.

    When the USB flash drive is detected, a selection screen is presented.
    Select the USB flash drive from the choices, and press: Install Kickstart
    A warning that all contents of the selected flash drive will be erased is presented.
    Press: Yes


    Remove the USB flash drive from the clean computer and press: Close


    Plug the USB flash drive into a USB port of the infected PC.

    When the computer starts, press the key that brings up the Boot Menu. (On some machines it's F12, F10, or F2.)
    From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)

    Info: How to Remove Ransomware - Select Real Security

    Once you select the USB flash drive to boot from, press: Enter

    A Kickstart prompt with USB boot options appears.
    Select: 1 (Bypass the Master Boot Record (Default))

    The system continues to boot from the hard drive and starts Windows.
    If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally

    When Windows boots, you either get a logon screen, or the Desktop is started.
    If you see a logon screen with your User name, log on with it.

    In the next prompt that appears, to start the program without installing to the local hard disk, select the option to do a one-time scan to check the computer.

    Click Next to start the scan. If the ransomware is found, click on Next.

    On the product activation screen, activate the 30-day trial.

    Save the log onto your desktop by clicking on Save log, and upload the log.

    Once you're inside Windows we will run some other scans


    Don't need two of the same directions. We will be waiting for the logs.
    Last edited by VistaKing; 03 Apr 2013 at 11:01.


  6. Posts : 3,168
    Windows 10 64bit
       #6

    My aunt had this issue. I fixed it by running Windows Defender Offline from a USB stick, and that let me back into the machine. Then I was able to clean more junk out with Malwarebytes and MSE, while cleaning out some stuff manually like toolbars and add-ons.

    There's a download link below in the article, just get the 32-bit version: http://blogs.technet.com/b/security/...r-offline.aspx

    I hope I was able to help, this is what helped me out with that problem. Good luck cleaning out his machine.


  7. Posts : 315
    Windows 7 Ultimate 32bit
       #7

    Never heard of this kind of virus before. Sounds interesting. How exactly does it lock you out of the computer?


  8. Posts : 3,168
    Windows 10 64bit
       #8

    Element7 said:
    Never heard of this kind of virus before. Sounds interesting. How exactly does it lock you out of the computer?
    Puts a big screen on your screen saying the FBI has locked your computer and that you have 24 hours to pay a ransom, say like $100, to unlock your computer and drop further charges, and if you don't they will sue you. It's just a fake police alert saying they caught you downloading music or watching stuff like illegal porn, etc.; it mentions them in the locked screen saying it could be one of those, but it's a load of bull, and a scan with Windows Defender Offline on a USB can get rid of it easily, from my experience. Basically it just doesn't let you use it at all, like if you would have put your computer in locked mode with a warning screen. It says to pay them with bitcoin payments, from the one I saw on my aunt's, or ask for some other way to pay, and shows a link to where you can pay them to their bitcoin account or w/e they use.


  9. Posts : 4,517
    Windows 7 Home Premium 64bit
    Thread Starter
       #9

    OK thanks everyone! :)

    Won't know anything more until tomorrow, but I'll let you know how it goes.
    Will likely be back for more help depending on the situation.


  10. Posts : 315
    Windows 7 Ultimate 32bit
       #10

    M1GU31 said:
    Element7 said:
    Never heard of this kind of virus before. Sounds interesting. How exactly does it lock you out of the computer?
    Puts a big screen on your screen saying the FBI has locked your computer and that you have 24 hours to pay a ransom, say like $100, to unlock your computer and drop further charges, and if you don't they will sue you. It's just a fake police alert saying they caught you downloading music or watching stuff like illegal porn, etc.; it mentions them in the locked screen saying it could be one of those, but it's a load of bull, and a scan with Windows Defender Offline on a USB can get rid of it easily, from my experience. Basically it just doesn't let you use it at all, like if you would have put your computer in locked mode with a warning screen. It says to pay them with bitcoin payments, from the one I saw on my aunt's, or ask for some other way to pay, and shows a link to where you can pay them to their bitcoin account or w/e they use.
    Wow! Sounds like a pretty advanced and creative virus. Good to hear that it isn't too hard to get rid of.


 